If this is your first visit, be sure to
check out the Forum Rules by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Backtrack 5 R2 priv escalation 0day found in CTF exercise

wicd Privilege Escalation 0DayTested against Backtrack 5, 5 R2, Arch distributions Spawns a root shell. Has not been tested for potential remote exploitation vectors. Discovered by a student that wishes to remain anonymous in the course CTF. This 0day exploit for Backtrack 5 R2 was discovered by a student in the InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The student wishes to remain anonymous, he has contributed a python version of the 0day, a patch that can be applied to wicd, as well as a writeup detailing the discovery and exploitation process.

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

This post is a bad example of a bug report, for several reasons.

1) The title of this vulnerability should probably be "WICD Priv Escalation". As such, it should probably be reported to the WICD developers, as opposed to the BackTrack development team. If you still felt the bug report should be posted to us, the right place to post it would be "BackTrack bugs" (although it is not), or even better, our redmine ticket system.

2) Giving the pre-requisites for the exploit to function would be helpful. In this case, you would need to create a non root user in BackTrack, have a remote attacker access BT with that non privileged account or have an unprivileged shell from a previous attack against another service, and then have that user attempt to connect to a wireless access point (assuming wicd is running as root). This is far from the default configuration in BackTrack, which further negates the title of this vulnerability.

3) Making a mountain out of a molehill for the purpose of promoting a product or service is generally frowned upon by the security industry, especially when one already has a bad reputation.
4) Once this bug is tended to by the WICD developers, we will use their official patch rather than patching our packages using untrusted sources.